Software Licensing AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE




Information Systems Audit and Control Association
www.isaca.org

The Information Systems Audit and Control Association

With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association (ISACA) is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, administers the globally respected CISA (Certified Information Systems Auditor) designation earned by more than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA conferences, publications and electronic resources for greater understanding of the roles of, and relationship between, IT and enterprise governance.

Purpose of These Audit Programs and Internal Control Questionnaires

One of the goals of ISACA's Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET. These products are intended to provide a basis for audit work. E-business audit programs and internal control questionnaires were developed from material recently released in ISACA's e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA's Research Board and are recommended for use with these audit programs and internal control questionnaires.

Audit programs and internal control questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon, based on an organization's constraints, policies, practices and operational environment.

Disclaimer

The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional development of ISACA members and others in the IS audit and control community. Although we trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001

Software Inventories

Obtain software inventories of all programs located on the network. Obtain the inventory of all software that is officially authorized to be installed on the organization's workstations. This should include:
- Software - the name, platform and current version(s) of the software. There can be multiple entries for identical software purchased at different times if this is more convenient for the administrator. There can also be multiple entries if the company has mixed versions of the same software.
- Number of copies purchased
- Date purchased - the original purchase date(s)
- Updates - a history of any updates applied, including a statement of the original version number
- Evidence of License - a statement of how the administrator can demonstrate a right to use the software. This could be the location of the license certificates, a purchase order number or whatever is acceptable. The entry should be specific enough to allow locating the actual evidence.
- Deployment - how the licenses are being used and controlled. For example, a list of the PCs on which the software is installed or the server(s) it is installed on, together with a statement of the license management mechanism and the level set.
- Comments - any restrictions on the use of the license, maintenance contracts in place, "sharing" agreements with other units within the company, etc.

If the organization does not have this information readily available, that is the first audit issue. If there is no central person/group charged with the responsibility of maintaining this information, that is the next audit issue.

Applicable policies and procedures

Get operating procedures and policies for software acquisition.
- Obtain procedures and policies relating to acquisition of non-official software on organization equipment. If the policies do not contain explicit guidance on both official and non-official software, this is another audit issue.

Applicable policies and procedures

Get operating procedures and policies for license compliance, including continuous and periodic monitoring. Obtain procedures and policies relating to installation of non-official software on organization equipment. If the policies do not contain explicit guidance on both official and non-official software, this is another audit issue.

Proof of monitoring

Get proof and summaries of the latest results of Services compliance testing and monitoring, both continuous and periodic.

Organizational Practices - Corrective Actions

Determine what corrective actions are in place when non-compliance is determined.
- Are they written?
- Have they been published to the user community?
- Do they provide for escalating solutions?
- Have corrections been confirmed?

Organizational Practices - Monitoring for License Compliance

Analyze whether monitoring techniques for continued compliance follow specified policies and operational guidance.

Inventory Control Goals

Determine if a risk analysis has been done and, if so, the results. Determine whether the goals for monitoring, control of the software inventory and distribution over the network include the concept of risk.

Cost vs. Benefit

Identify the cost factors that management considers appropriate (monetary loss, lawsuit potential, public embarrassment, etc.). Analyze whether the cost of the exposure exceeds the cost of monitoring for noncompliance.

Security Methods

Evaluate the security methods in place to ensure the proper protection of copyright agreements, licensing agreements, and monitoring methods.
- Include both physical controls (e.g., physical protection of software media, such as CDs) and logical controls (e.g., access restrictions to installed software libraries).

Obsolete Software

Identify who is responsible for identifying and disposing of obsolete and/or surplus software.
- Inquire as to whether there is any obsolete or surplus software on hand. If there is no one responsible for the determination (another audit issue), observe the premises and inquire of organizational personnel. Review the records of prior disposals.

If there is obsolete and/or surplus software on hand:
- Inquire as to what steps have been taken to arrange for the disposal or sharing of the items and what supporting documentation exists to verify the actions.
- Determine the disposition of depreciable but obsolete software. Depending on the wording of the software license, software that is of no further use to the organization may be sold, disposed of or transferred (provided that it was purchased by the organization in the first place). The sale or disposal must include all of the original media, licenses and user manuals, and the software must be deleted or de-installed from the existing systems, including backup copies.

Storage

Determine the adequacy of all software storage areas in terms of environmental protection, access security, and monitoring methods.

Sample Inventory Test

Policy/Guidance: These steps should be done in a variety of departments and offices. Depending on the determined risk, it may be necessary to inventory, on a sample basis, the software installed on the computers attached to the LAN or on departmental computers.
- Using software such as SPAudit from the Software Publishers Association can facilitate this process.
- If such a tool is not available, obtain a current inventory of all installed software packages.

If primary licensing controls appear sound, in place and functioning, then determine when the last physical inventory of installed software was made.
- If current, an independent sample inventory may not be necessary.
- If somewhat dated, a sample inventory should be taken.

Restrictions on installation of non-official software

Identify the specific restrictions on non-official software contained in organizational policy. This may include downloads from the Internet, certain screensaver programs, games, etc.

Monitoring for compliance with restrictions

Determine whether the organization has reviewed for compliance with the specific restrictions set out above.
- If so, and the review is current, a sample inventory may not be necessary.
- If not, or the review is not current, a sample inventory is necessary to validate compliance with the policy.

Note: If the original software discs, CD-ROMs, licenses and user manuals have been legally upgraded, the prior versions cannot legally be disposed of, because upgrade licenses require the original proof of purchase; as an auditor, this chain of evidence needs to be traced.
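The inventory record described under Software Inventories and the Sample Inventory Test above together amount to a reconciliation: what the organization is entitled to run against what the scan finds actually installed. The following Python script is an added example of that reconciliation and is not part of the ISACA audit program. The entitlement fields follow the inventory fields listed above (software, version, copies purchased, evidence of license); the product names, hosts and purchase-order references are constructed sample data, and the scan list stands in for the output of an inventory tool.

```python
"""Reconcile installed software (scan results) against the authorized inventory.

Added example for the software licensing audit program; all data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One row of the authorized software inventory."""
    name: str
    version: str
    copies_purchased: int
    evidence: str  # PO number or certificate location; empty means nothing recorded


@dataclass(frozen=True)
class Installation:
    """One installed package reported by the sample inventory scan."""
    host: str
    name: str
    version: str


def _key(name, version):
    # Inventory keeps one entry per product version, so match on both.
    return (name.strip().lower(), version.strip().lower())


def reconcile(authorized, installed):
    """Return audit findings keyed by exception type (lists sorted for stable output)."""
    entitlements = {}
    for e in authorized:
        k = _key(e.name, e.version)
        if k in entitlements:
            # Same product/version bought at different times: sum the copies, keep all evidence.
            prev = entitlements[k]
            entitlements[k] = Entitlement(prev.name, prev.version,
                                          prev.copies_purchased + e.copies_purchased,
                                          "; ".join(x for x in (prev.evidence, e.evidence) if x))
        else:
            entitlements[k] = e

    authorized_names = {k[0] for k in entitlements}
    deployed = Counter()
    findings = {"unauthorized": [], "unlicensed_version": [], "over_deployed": [],
                "missing_evidence": [], "surplus": []}

    for inst in installed:
        k = _key(inst.name, inst.version)
        if k in entitlements:
            deployed[k] += 1
        elif k[0] in authorized_names:
            # Product is licensed, but this version was never purchased (e.g. an unlicensed upgrade).
            findings["unlicensed_version"].append((inst.host, inst.name, inst.version))
        else:
            # Non-official software: not on the authorized list at all.
            findings["unauthorized"].append((inst.host, inst.name, inst.version))

    for k, e in entitlements.items():
        n = deployed[k]
        if n > e.copies_purchased:
            findings["over_deployed"].append((e.name, e.version, n, e.copies_purchased))
        if n == 0:
            # Purchased but nowhere installed: candidate for the obsolete/surplus review.
            findings["surplus"].append((e.name, e.version, e.copies_purchased))
        if not e.evidence:
            # Right to use cannot be demonstrated: the "first audit issue" above.
            findings["missing_evidence"].append((e.name, e.version))

    return {kind: sorted(rows) for kind, rows in findings.items()}


# Constructed sample inventory: two purchases of Acme Office 2001 (2 + 1 = 3 copies).
AUTHORIZED = [
    Entitlement("Acme Office", "2001", 2, "PO-4471; certificates in IT safe"),
    Entitlement("Acme Office", "2001", 1, "PO-4512"),
    Entitlement("Acme Office", "2000", 2, "PO-3902"),
    Entitlement("DrawTool", "5.1", 1, ""),
    Entitlement("LegacyDB", "3.0", 2, "PO-1200"),
]

# Constructed scan results from the sample of workstations.
SCAN = [
    Installation("ws01", "Acme Office", "2001"), Installation("ws02", "Acme Office", "2001"),
    Installation("ws03", "Acme Office", "2001"), Installation("ws04", "Acme Office", "2001"),
    Installation("ws05", "Acme Office", "2000"),
    Installation("ws02", "DrawTool", "5.1"), Installation("ws06", "DrawTool", "6.0"),
    Installation("ws07", "ScreenSaverPack", "1.0"),
]

if __name__ == "__main__":
    for kind, rows in reconcile(AUTHORIZED, SCAN).items():
        print(f"{kind}: {len(rows)}")
        for row in rows:
            print("   ", row)
```

In a real engagement the SCAN list would be populated from the inventory tool's export and AUTHORIZED from the administrator's register; each finding type maps to an audit step above (unauthorized to the non-official software restrictions, over_deployed and unlicensed_version to license compliance, surplus to the obsolete software review, missing_evidence to evidence of license). Matching is deliberately per version, since an upgrade license does not by itself cover continued use of the prior version.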